On 14/10/10 05:56, Zooko O'Whielacronx wrote:
> What if a hash has 512-bit collision-resistance? What would that mean?
> That an attacker might spend about 2^512 resources to find a collision
> in it? That is a meaningless possibility to discuss since 2^512
> resources will never exist in the life of this universe, so it can't
> mean that, or if it does mean that then there is no use in talking
> about "512-bit collision-resistance". Maybe it means something else?
>
> In any case, I'm pretty sure that as a *user* of hash functions what I
> care about is "more likely to fail" (and efficiency), not about "bits
> of security" for any bit-level greater than about 128 (including
> consideration of quantum attacks, multi-target attacks, etc.)

I agree re 512 bits but 128 bits seems low if you have secrets to keep
from the far future. According to this page a 256-bit cipher is the work
of minutes to brute-force for a computer the mass of the Earth working
close to physical limits of computation:

http://en.wikipedia.org/wiki/Bremermann%27s_limit

From my calculations, if the entire Virgo Supercluster were turned into
computronium for a trillion years it could make at most ~2^383
computational steps.

http://en.wikipedia.org/wiki/Virgo_Supercluster

log((10^15) ⋅ 1.98892 ⋅ (10^30) ⋅ (2.56 ⋅ (10^50)) ⋅ 86400 ⋅ 365 ⋅ (10^12), 2) ≈ 382.70493

This is before considering multi-target attacks or quantum attacks.

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography